EP2680182A1 - Mobile device and method to monitor a baseband processor in relation to the actions on an application processor - Google Patents

Mobile device and method to monitor a baseband processor in relation to the actions on an application processor Download PDF

Info

Publication number
EP2680182A1
EP2680182A1 EP13167024.2A EP13167024A EP2680182A1 EP 2680182 A1 EP2680182 A1 EP 2680182A1 EP 13167024 A EP13167024 A EP 13167024A EP 2680182 A1 EP2680182 A1 EP 2680182A1
Authority
EP
European Patent Office
Prior art keywords
baseband
mobile device
component
processor
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP13167024.2A
Other languages
German (de)
French (fr)
Other versions
EP2680182B1 (en
Inventor
Frank Rieger
Vadim Uvin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gsmk Gesellschaft fur Sichere Mobile Kommunikation Mbh
Original Assignee
Gsmk Gesellschaft fur Sichere Mobile Kommunikation Mbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gsmk Gesellschaft fur Sichere Mobile Kommunikation Mbh filed Critical Gsmk Gesellschaft fur Sichere Mobile Kommunikation Mbh
Publication of EP2680182A1 publication Critical patent/EP2680182A1/en
Application granted granted Critical
Publication of EP2680182B1 publication Critical patent/EP2680182B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/125Protection against power exhaustion attacks

Definitions

  • the invention disclosed herein describes devices and methods to mitigate and prevent over-the-air attacks against the baseband processor of mobile devices by means of monitoring the baseband processor's behavior, correlating this behavior with the intentions of the user (as expressed by the behavior of the application processor), and taking appropriate countermeasures against attacks.
  • Modem mobile devices typically, mobile phones and tablet computers with cellular network connectivity
  • the so called application CPU Central Processing Unit
  • the so called baseband CPU that runs all the necessary software to interface with the mobile network
  • GSM Global System for Mobile Communications 3G
  • CDMA Code Division Multiple Access
  • CDMA2000 Code Division Multiple Access 2000
  • UMTS Universal Mobile Telecommunications System or LTE (Long Term Evolution).
  • a mobile application processor is a system on a chip designed to support applications running in a mobile operating system environment.
  • the system on a chip can be physically independent from the baseband CPU as separate chip or can be implemented physically integrated into one chip together with the baseband CPU.
  • a mobile application processor provides a self-contained operating environment that delivers all system capabilities needed to support a device's applications, including memory management, graphics processing, and multimedia decoding.
  • Mobile application processors may be independent from other specialized processors in the same mobile device, such as a phone's baseband (wireless communications) processor.
  • OEM original equipment manufacturer
  • the Qualcomm Qualcomm Snapdragon mobile application processor is contained in many smart phones that use Qualcomm to run the Android operating system and Android applications. In this way, every phone manufacturer need not develop its own mobile application processor (atthough they can); this approach reduces bill-of-materials cost and makes it possible to develop low-cost "smart" consumer electronics.
  • a wide variety of mobile devices contain mobile application processors, including feature phones, smartphones, tablets, eReaders, netbooks, automotive navigation devices, and gaming consoles.
  • a baseband processor also known as baseband radio processor, BP, or BBP
  • BP baseband radio processor
  • BBP baseband radio processor
  • a baseband processor is a device (a chip or part of a chip) in a network interface that manages all the radio functions (all functions that require an antenna). This may or may not include WiFi and/or Bluetooth. It typically uses its own RAM and firmware. This RAM can also be shared with the application processor.
  • the reasons for separating the baseband processor from the application CPU are:
  • Baseband processors typically run a RTOS written in firmware: e.g. Nucleus RTOS (iPhone 3G/3GS/iPad), ENEA's OSE, VRTX, ThreadX (iPhone 4)
  • the BP and the AP can communicate and exchange information.
  • One possibility is to use shared memory, which is controlled by a memory controller or a memory management unit.
  • memory controller and memory management are used to identify the same unit which has the functionality of a memory controller, of a memory management unit, or of both.
  • the memory controller controls regions of the memory for the AP and the BP and in some areas concurrent access is possible by both the AP and the BP.
  • a bus system is possible over which the AP and the BP exchange information.
  • private memory sections with private memory controllers and a mutual memory controller for a shared area are possible solutions.
  • the memory controller is a digital circuit which manages the flow of data going to and from the main memory. It can be a separate chip or integrated into another chip, such as on the die of a microprocessor. This is also called a Memory Chip Controller (MCC). Memory controllers contain the logic necessary to read and write to RAM or DRAM, and to "refresh" the DRAM by sending current through the entire device. Without constant refreshes, DRAM will lose the data written to it as the capacitors leak their charge within a fraction of a second.
  • MCC Memory Chip Controller
  • Reading and writing to DRAM is performed by selecting the row and column data addresses of the DRAM as the inputs to the multiplexer circuit, where the demultiplexer on the DRAM uses the converted inputs to select the correct memory location and return the data, which is then passed back through a multiplexer to consolidate the data in order to reduce the required bus width for the operation.
  • the memory controller might be necessary to control the concurrent access to the RAM by different component of the device and the CPUs of the device.
  • the security situation for software running on the application CPU largely follows the methods and procedures developed for desktop computers (e.g. running anti-virus software, firewalls, restrict code execution to signed applications, etc.), the security of the baseband processor has been mostly ignored so far. This is despite of the fact that the baseband CPU is a complex hardware component in an exposed position: The baseband CPU is connected on one side to the mobile network(s) and on the other side to the application CPU. All data transmissions, phone calls, SMS messages, etc. from and to the mobile networks as requested by software running on the application CPU pass through the baseband CPU.
  • the attacker can for example cause the victim's mobile device to accept incoming calls without ringing or any user interaction (thus allowing the attacker to eavesdrop onto conversations held in the vicinity of the victim's phone), or let malicious software run on the baseband CPU to cause unintended behavior like monitoring of ongoing communications or exfiltration of critical data.
  • the security quality of the software running on today's baseband CPUs is on average rather low, as large parts of the necessary protocol stacks haven been written back in the 1990s, before secure programming guidelines were known or observed. Fixing or patching baseband software for security reasons is very seldom done by the device manufacturers. There is a multitude of reasons for this problem: The baseband chipsets are developed and manufactured by a very small group of specialized companies which typically supply both the chips and the software/firmware running on them. The baseband software is usually customized to the needs of the specific phone either by the baseband processor's manufacturer, the phone's manufacturer, or both. These relationships, interdependencies, and the question of code ownership are often complicated.
  • the resulting situation is detrimental to the security and protection of the mobile device's user against the types of over-the-air-attack described above. Even when new attacks are published and become widespread, the standard simple defense strategy of applying a software update may not be available.
  • the invention disclosed herein therefore describes the missing piece in the security armor: means and methods to mitigate and prevent these types of attacks.
  • the invention intends to provide a solution for the missing security on the baseband processor.
  • the attack In order to defend against an attack on the baseband CPU, the attack first needs to be detected.
  • the baseband firmware itself typically contains only insufficient or no provisions for detection of attacks, a new method is required.
  • One core idea behind the invention is to monitor the behavior of the baseband CPU, as reflected in various extermally observable signs, and correlate this behavior with information about the actual intended activities of the mobile device's user.
  • the invention consists of several components.
  • the data collection, aggregation and analysis of detected suspicious events from multiple mobile devices can be used by a centralized reporter monitoring component to distribute warnings to the users of either all or only a selected subset of mobile devices connected to the respective reporter component, to adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter, and/or to initiate more extensive logging.
  • a centralized reporter monitoring component to distribute warnings to the users of either all or only a selected subset of mobile devices connected to the respective reporter component, to adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter, and/or to initiate more extensive logging. This is done by centralized server structure which is connected to the devices over the intemet.
  • the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped. It has to be noted that this list is not limited to the listed options.
  • the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts comprises one or more of the following:
  • the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
  • the evaluator component runs as an application on the application processor.
  • the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
  • the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component wams the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected, and/or the 'defense' component shuts down the baseband processor in order to prevent exploitation.
  • IMSI catcher a so-called "IMSI catcher”
  • An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones.
  • VTS virtual base transceiver station
  • IMSI International Mobile Subscriber Identity
  • the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicious to highly suspicious,
  • the evaluator is plotting all the events in a diagram that shows baseband activity and suspectedness of baseband activities over time and displays this diagram on either the mobile device's screen or an external display device.
  • the evaluator component compiles the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
  • the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by a centralized reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.
  • the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
  • the reporter remote analytics entity sends out warnings and configuration changes to either all or only a selected subset of mobile devices in respect to detected hostile network activity (e.g. based on the mobile devices' location and the location of areas where over-the-air attacks heap up).
  • the reporter remote analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
  • mobile devices are connected to the centralized reporter monitoring component via a direct wireless data connection, or via a synchronization mechanism that is activated whenever the phone is connected to a desktop computer to synchronize data with it.
  • the central reporter component can adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter component (e.g. by lowering the suspiciousness level before countermeasures are initiated, or initiating more extensive logging).
  • the defense component runs as an application on the application processor.
  • the baseband monitor component detects an ongoing call by monitoring the baseband processor, while at the same time, the application monitor component reports that the telephony software running on the application CPU has not initiated or accepted a call, then the evaluator mechanism will determine that the likelihood of malicious baseband behavior is high, and that this is very likely the result of an attack.
  • the invention provides a method to analyze the security of a mobile terminal, comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information.
  • the method comprises the steps:
  • the information is stored in a possible embodiment in a database or container which can be accessed by a correlation engine to find correlations between at least two pieces of information above that indicate an unsecure situation, and triggering an alarm.
  • All these pieces of information are used to find a correlation between the information of the baseband-monitor application and the information of the application-monitor-application, that indicate an unsecure situation, and triggering an alarm.
  • a correlation engine defines and maintains pattern of secure and unsecure states is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
  • power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge and if the area of the expected discharge curve as computed on the base of application and operating system power usage deviates significantly from the actually measured discharge curve, the resulting area under the curve is large and an IP-session or phone call is ongoing over the BP an alarm is triggered.
  • a user setting is provided allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
  • the mobile device is reset or all connections are forced to be dropped.
  • a further part of the invention is Mobile terminal comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information, comprising a Baseband- monitor application and an Application-monitor application running on the AP or BP, the monitor applications are configured to collect one or more of the following information:
  • AP application processor
  • BP baseband processor
  • the monitor applications are configured to collect one or more of the following information:
  • a correlation application being configured to find correlations between at least two information above that indicate an unsecure situation, and triggering an alarm.
  • the correlation engine is configured to define and maintain pattern of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
  • a Power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge and If the area of the expected discharge curve as computed on the base of application and operating system power usage deviates significantly from the actually measured discharge curve, the resulting area under the curve is large and a IP-session or phone calls is ongoing over the BP an alarm is triggred.
  • the correlation engine is configured to provide a user setting allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
  • the mobile terminal wherein in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
  • the Mobile device configured to detect an attack on a baseband processor comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising :
  • the components mentioned above can be software or hardware, in case of software they run on the application processors or on the baseband processor or partially on both. Also the applications can run on the BP or AP, or partially on the AP or BP, can be implemented in hardware or software or a combination thereof.
  • the invention consists in a possible configuration of the following components:
  • Baseband-Monitor that observes the behavior of the baseband. It uses all means available to determine the current behavior of the Baseband Processor (BP).
  • the Baseband-Monitor is an application which preferable runs as application on the application processor (AP). It is also possible that parts of the Baseband-Monitor runs as application on the BP.
  • Baseband-Monitor in the preferred embodiment uses the interfaces and functions the of the BP, which are provide by in the standard configuration. The information and the interfaces available differs depending on capabilities of the baseband processor and interfaces made available on a specific phone model/mobile terminal and includes but is not limited to:
  • the Baseband-Monitor provides a rich set of information on the current activities of the baseband.
  • the level of detail depends on the availability of data sources in the specific phone model. Not all data sources are usually available on all phone models.
  • the other component of the invention in the possible configuration of two components is a monitoring and alerting component that observes the parameters, time and duration of legitimate software and user activities on the application CPU that cause normal Baseband activities intended by the user. Under normal circumstances, most Baseband activities with some known exceptions are correlated with user interaction, like making a call or loading a web page, or known-to-be-good automated application activity, like checking e-mail.
  • Application use of baseband lives is monitored on the AP by various means like hooking or replacing the respective "provider" functions in the operating system that manage the communication with the baseband. This analyses can also be performed by checking the network traffic for example by sniffing the ports and the IP-packages, or by using proxies which are located between the applications and the baseband.
  • the communication between the AP and BP can be monitored by reading the shared memory which is normally used for an information exchange between the two units.
  • the activity for example the processor using of the applications can be monitored to detect if the application is very active or suspended. So the information of the process scheduler in the operating system can provide information.
  • the event table of the operating system can be check and verified. In the event table the applications running on the AP give a feedback of the actions and errors and warnings.
  • a monitoring on the AP can be given by tracking the use of a user interface like a keyboard or a touch screen. For example if a SMS has been send by an application without a detection of a user input a security problem can be given.
  • the same situation can be determined if the mobile terminal is in a standby mode and a SMS is sent or phone call is performed.
  • the monitoring application on the AP collects this information and stores the information over a defined time period in a database.
  • the storing and collecting of the information is done in defined time intervals or driven by events like interrupts.
  • Each collected information has in a possible implementation a time stamp which allows finding a time correlation.
  • the information can be categorized which allows the implementation of general concepts and rules on the categories.
  • the mechanism then correlates the data from the Baseband monitoring (described above) and the data from the application CPU monitoring to distinguish between legitimate and suspicious Baseband activities. Suspicious are activities that cause transmissions or resource consumption on the Baseband but are not correlated to legitimate user activities.
  • One very simple example is that if the Baseband is detected by the monitoring component to have an active call ongoing while no phone call is made or accepted by the telephony software, very likely this is the result of an attack.
  • the correlation engine of the invention builds a pattern of "normality" that is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis etc.
  • a simple example is the analysis of the battery discharge curve while taking into account the power usage of applications and sensors as provided by the operating system or seperate readout of power consumption data from respective phone sensors. If the actual discharge curve deviates from the expected precalculated discharge curve, malicious baseband activitiy is suspected.
  • These statistical concepts are well known so that a further discussion can be omitted.
  • logical dependencies can be expressed by definable expression, using conditional expression and logical conjunctions etc..
  • the detection of ongoing suspicious baseband activity can rely on one or a combination of data sources on Baseband and application CPU. Specific user usage patterns are taken into account by an adaption mechanism built into the correlation engine.
  • a user setting is provided to allow for a configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
  • the battery current and voltage measurement is used to check for a deviation from the expected power consumption.
  • An ongoing attack that would e.g. use the baseband to transmit room audio to the attacker by means of a surreptitious call or periodic data transmissions would cause a deviation between power consumption actually measured at the battery and the expected consumption computed from the phones power profile.
  • countermeasures can be taken for instance but not limited to resetting the baseband, resetting the phone, forcing all connections to be dropped and / or alerting the phones user.

Abstract

Method and device to analyze the security of a mobile terminal, comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information, comprising the steps:
a) acquiring by a Basband- monitor application and an Application-monitor application running on the mobile device one or more of the following information:
-Information from the BP about opening and closing of transmission channels to and from a base station;
-Infomation from the baseband CPU about protocol transmissions to and from the station;
-Information from the baseband CPU about the volume of data transmission;
- Measures response times to standard service requests from application CPU(AP) to baseband CPU (BP);
- Information of the power consumption of phone components;
- Information of the current and voltage delivered by the battery to the phone;
-Configuration of the the audio path , to determine which component or application is using the micro-phone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
Monitor time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a User-Interface.

Description

    Field of the Invention
  • The invention disclosed herein describes devices and methods to mitigate and prevent over-the-air attacks against the baseband processor of mobile devices by means of monitoring the baseband processor's behavior, correlating this behavior with the intentions of the user (as expressed by the behavior of the application processor), and taking appropriate countermeasures against attacks.
  • Backaround of Invention
  • Modem mobile devices (typically, mobile phones and tablet computers with cellular network connectivity) consist of at least two separate processors: The so called application CPU (Central Processing Unit), which runs the operating system, user interface and applications, and the so-called baseband CPU that runs all the necessary software to interface with the mobile network (e.g. GSM Global System for Mobile Communications, 3G, CDMA (Code Division Multiple Access), CDMA2000, UMTS Universal Mobile Telecommunications System, or LTE (Long Term Evolution).
  • A mobile application processor is a system on a chip designed to support applications running in a mobile operating system environment. The system on a chip can be physically independent from the baseband CPU as separate chip or can be implemented physically integrated into one chip together with the baseband CPU.
  • A mobile application processor provides a self-contained operating environment that delivers all system capabilities needed to support a device's applications, including memory management, graphics processing, and multimedia decoding.
  • Mobile application processors may be independent from other specialized processors in the same mobile device, such as a phone's baseband (wireless communications) processor.
  • Some vendors manufacture their own mobile application processors. Other vendors purchase their mobile application processors, using them as original equipment manufacturer (OEM) components. For example, the Qualcomm Snapdragon mobile application processor is contained in many smart phones that use Snapdragon to run the Android operating system and Android applications. In this way, every phone manufacturer need not develop its own mobile application processor (atthough they can); this approach reduces bill-of-materials cost and makes it possible to develop low-cost "smart" consumer electronics.
  • A wide variety of mobile devices contain mobile application processors, including feature phones, smartphones, tablets, eReaders, netbooks, automotive navigation devices, and gaming consoles.
  • A baseband processor (also known as baseband radio processor, BP, or BBP) is a device (a chip or part of a chip) in a network interface that manages all the radio functions (all functions that require an antenna). This may or may not include WiFi and/or Bluetooth. It typically uses its own RAM and firmware. This RAM can also be shared with the application processor.
  • The reasons for separating the baseband processor from the application CPU (known as the AP or Application Processor) are:
    1. 1. radio performance: radio control functions (signal modulation, encoding, radio frequency shifting, etc.) are highly timing dependant, and require a realtime OS
    2. 2. legal: some authorities (e.g. the U.S. Federal Communications Commission (FCC)) require that the entire software stack running on a device which communicates with the cellular network must be certified. Separating the BP into a different component allows reusing them without having to certify the full AP.
    3. 3. radio reliability: Separating the BP into a different component ensures proper radio operation while allowing application and OS changes.
  • Baseband processors typically run a RTOS written in firmware: e.g. Nucleus RTOS (iPhone 3G/3GS/iPad), ENEA's OSE, VRTX, ThreadX (iPhone 4)
  • Significant baseband manufacturers include MediaTek, Broadcom, lcera, Intel Mobile Communications- former infineon wireless division, Qualcomm, ST-Ericsson.
  • The BP and the AP can communicate and exchange information. One possibility is to use shared memory, which is controlled by a memory controller or a memory management unit. In this context the terms memory controller and memory management are used to identify the same unit which has the functionality of a memory controller, of a memory management unit, or of both. The memory controller controls regions of the memory for the AP and the BP and in some areas concurrent access is possible by both the AP and the BP. Also a bus system is possible over which the AP and the BP exchange information. Also private memory sections with private memory controllers and a mutual memory controller for a shared area are possible solutions. There is also a certain exchange of commandos between BP and AP, for example to initiate a call from an application running on the AP, or to start an application when a call is detected by the BP. The memory controller is a digital circuit which manages the flow of data going to and from the main memory. It can be a separate chip or integrated into another chip, such as on the die of a microprocessor. This is also called a Memory Chip Controller (MCC). Memory controllers contain the logic necessary to read and write to RAM or DRAM, and to "refresh" the DRAM by sending current through the entire device. Without constant refreshes, DRAM will lose the data written to it as the capacitors leak their charge within a fraction of a second.
    Reading and writing to DRAM is performed by selecting the row and column data addresses of the DRAM as the inputs to the multiplexer circuit, where the demultiplexer on the DRAM uses the converted inputs to select the correct memory location and return the data, which is then passed back through a multiplexer to consolidate the data in order to reduce the required bus width for the operation. Also the memory controller might be necessary to control the concurrent access to the RAM by different component of the device and the CPUs of the device.
  • While the security situation for software running on the application CPU largely follows the methods and procedures developed for desktop computers (e.g. running anti-virus software, firewalls, restrict code execution to signed applications, etc.), the security of the baseband processor has been mostly ignored so far. This is despite of the fact that the baseband CPU is a complex hardware component in an exposed position: The baseband CPU is connected on one side to the mobile network(s) and on the other side to the application CPU. All data transmissions, phone calls, SMS messages, etc. from and to the mobile networks as requested by software running on the application CPU pass through the baseband CPU.
  • With increasing availability of private GSM and 3G base stations, a so far largely neglected class of attacks against the security and integrity of a mobile device becomes feasible and, consequently, more widespread. This class of attacks is characterized by forcing or "seducing" the victim's mobile device to camp on a base station that is under the control of the attacker. The attacker then uses manipulated transmissions to trigger security vulnerabilities on the victim's mobile device (e.g. buffer overruns, memory corruption, stack overflows etc.) and cause the victim's mobile device to behave in ways favorable to the attacker. The attacker can for example cause the victim's mobile device to accept incoming calls without ringing or any user interaction (thus allowing the attacker to eavesdrop onto conversations held in the vicinity of the victim's phone), or let malicious software run on the baseband CPU to cause unintended behavior like monitoring of ongoing communications or exfiltration of critical data.
  • The security quality of the software running on today's baseband CPUs is on average rather low, as large parts of the necessary protocol stacks haven been written back in the 1990s, before secure programming guidelines were known or observed. Fixing or patching baseband software for security reasons is very seldom done by the device manufacturers. There is a multitude of reasons for this problem: The baseband chipsets are developed and manufactured by a very small group of specialized companies which typically supply both the chips and the software/firmware running on them. The baseband software is usually customized to the needs of the specific phone either by the baseband processor's manufacturer, the phone's manufacturer, or both. These relationships, interdependencies, and the question of code ownership are often complicated. The result is a situation where baseband firmware is typically only updated when there are problems with battery lifetime or data throughput. Building new baseband firmware is a process that might also involve the need to obtain new regulatory approvals from bodies like the Federal Communications Commission (FCC), which is a costly and time-consuming, such that the process may not be completed during the market life cycle of the mobile device in question.
  • The resulting situation is detrimental to the security and protection of the mobile device's user against the types of over-the-air-attack described above. Even when new attacks are published and become widespread, the standard simple defense strategy of applying a software update may not be available. The invention disclosed herein therefore describes the missing piece in the security armor: means and methods to mitigate and prevent these types of attacks.
  • Summarv of Invention
  • The invention intends to provide a solution for the missing security on the baseband processor.
  • In order to defend against an attack on the baseband CPU, the attack first needs to be detected. As the baseband firmware itself typically contains only insufficient or no provisions for detection of attacks, a new method is required. One core idea behind the invention is to monitor the behavior of the baseband CPU, as reflected in various extermally observable signs, and correlate this behavior with information about the actual intended activities of the mobile device's user. The invention consists of several components.
  • Method for detecting an attack on the baseband processor of a mobile device which contains a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps:
    1. a) monitoring, by dedicated baseband monitor software (can also be a hardware component), the behavior of the baseband processor by using features available on the respective mobile device,
    2. b) monitoring, by a dedicated application monitor component (which can be implemented in either software or hardware), the behavior of the application processor by keeping a record of the parameters, execution time, and execution duration of legitimate software and user activities on the application processor that cause normal baseband activities as intended by the user;
    3. c) correlating by an evaluator component (which can be implemented in either software or hardware) the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
    4. d) initiation of countermeasures by a defense component (which can be implemented in either software or hardware) designed to ward off the suspicious/illegitimate baseband activities.
  • In a possible embodiment the data collection, aggregation and analysis of detected suspicious events from multiple mobile devices can be used by a centralized reporter monitoring component to distribute warnings to the users of either all or only a selected subset of mobile devices connected to the respective reporter component, to adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter, and/or to initiate more extensive logging. This is done by centralized server structure which is connected to the devices over the intemet.
  • In a possible embodiment the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped. It has to be noted that this list is not limited to the listed options.
  • In a possible embodiment the monitoring by the baseband monitor comprises one or more of the following:
    • collecting information on power consumption of individual hardware components of the mobile device,
    • collecting information on audio path configuration,
    • collecting information on the response time to normal service requests from the application processor to the baseband processor;
    • monitoring of communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
    • monitoring of communication interfaces and memory areas shared between application processor and baseband for patterns associated with exploit attempts,
    • collecting information obtained from the baseband processor's debugging output. It has to be noted that this list is not limited to the listed options.
  • In a possible embodiment the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts, comprises one or more of the following:
    • Monitoring malformated messages or data structures or very large data blocks;
    • Monitoring the usage of procedures, functions, features or messages not seen in normal operations;
    • Monitoring attempts to access memory areas not consistent with normal operations.
    It has to be noted that this list is not limited to the listed options.
  • In a possible embodiment the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
    • timing and volume of voice call setup attempts,
    • timing and volume of data transmission,
    • timing and volume of SMS message transmission,
    • timing and sequence of establishment of traffic channels.
  • In a possible embodiment the evaluator component runs as an application on the application processor.
  • In a possible embodiment the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
  • In a possible embodiment the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component wams the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected, and/or the 'defense' component shuts down the baseband processor in order to prevent exploitation.
  • An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls and messages.
  • In a possible embodiment the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following pieces of information:
    • cell identification, distance, and signal strength,
    • signal growth/attenuation,
    • forced network change from 3G to 2G network,
    • unusual changes in the list of neighboring cells,
    • unusual configuration parameters of the mobile base station designed to make it appear more 'attractive' to the targeted mobile device(s),
    • network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator
    It has to be noted that this list is not limited to the listed options.
  • In a possible embodiment the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicious to highly suspicious,
  • In a possible embodiment the evaluator is plotting all the events in a diagram that shows baseband activity and suspectedness of baseband activities over time and displays this diagram on either the mobile device's screen or an external display device.
  • In a possible embodiment the evaluator component compiles the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
  • In a possible embodiment the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by a centralized reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.
  • In a possible embodiment the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
  • In a possible embodiment the reporter remote analytics entity sends out warnings and configuration changes to either all or only a selected subset of mobile devices in respect to detected hostile network activity (e.g. based on the mobile devices' location and the location of areas where over-the-air attacks heap up).
  • In a possible embodiment the reporter remote analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
  • In a possible embodiment mobile devices are connected to the centralized reporter monitoring component via a direct wireless data connection, or via a synchronization mechanism that is activated whenever the phone is connected to a desktop computer to synchronize data with it.
  • In a possible embodiment the central reporter component can adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter component (e.g. by lowering the suspiciousness level before countermeasures are initiated, or initiating more extensive logging).
  • In a possible embodiment the defense component runs as an application on the application processor.
  • In the following an example will be discussed. If the baseband monitor component detects an ongoing call by monitoring the baseband processor, while at the same time, the application monitor component reports that the telephony software running on the application CPU has not initiated or accepted a call, then the evaluator mechanism will determine that the likelihood of malicious baseband behavior is high, and that this is very likely the result of an attack.
  • In an alternative embodiment the invention provides a method to analyze the security of a mobile terminal, comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information. The method comprises the steps:
    1. a) acquiring by a Baseband-monitor application and an Application-monitor application running on the mobile device one or more of the following information:
      • Information from the BP about opening and closing of transmission channels to and from a base station;
      • Information from the baseband CPU about protocol transmissions to and from the base station;
      • Information from the baseband CPU about the volume of data transmission;
      • Measurement data of response times to standard service requests from application CPU(AP) to baseband CPU (BP);
      • Information on the power consumption of phone components;
      • Information on the current voltage delivered by the battery to the phone;
      • Configuration of the audio path, to determine which component or application is using the micro-phone ;
      • Monitor the running applications on the AP;
      • Monitor the status of the running applications on the AP;
      • Monitor time or duration of applications running on the AP;
      • Monitor the input or output of the applications running on the AP;
      • Monitor the input of a user to a User-Interfaces.
  • The information is stored in a possible embodiment in a database or container which can be accessed by a correlation engine to find correlations between at least two pieces of information above that indicate an unsecure situation, and triggering an alarm.
  • In a possible embodiment the Baseband-monitor application acquires one or more of the following information:
    • Information from the BP about opening and closing of transmission channels to and from a base station;
    • Information from the baseband CPU about protocol transmissions to and from the base station;
    • Information from the baseband CPU about the volume of data transmission;
    • Measures response times to standard service requests from application CPU(AP) to baseband CPU (BP). Furthermore the application monitor application acquires one or more of the following information :
    • Information of the power consumption of phone components;
    • Information of the current and voltage delivered by the battery to the phone;
    • Monitors the audio path configuration, by determining which component or application is using the micro-phone;
    • Monitor the running applications on the AP;
    • Monitor the status of the running applications on the AP;
    • Monitor time or duration of applications running on the AP;
    • Monitor the input or output of the applications running on the AP;
    • Monitor the input of a user to a User-Interface;
  • All these pieces of information are used to find a correlation between the information of the baseband-monitor application and the information of the application-monitor-application, that indicate an unsecure situation, and triggering an alarm.
  • In a possible embodiment a correlation is defined being likely secure for one or more of the following:
    • if the user inputs information to a User-Interface and an application is running which is defined as the receiver of the information inputted, and network connection on the BP is opened after the inputted information;
    • if a web-browser application is started or activated and user input is detected which is directed to the web-browser application and a IP-Session is opened by the BP;
    • if an email-application is running and is checking for new emails and an IP-Session is opened by the BP;
    • if a phone call application is started, user input is detected, and a voice session is opened by the BP;
    • if a phone call application is started and has opened a voice connection over the BP a speaker path to the phone call application is allowed;
    • if an instant messaging communication is initiated or received by the user and an IP-Session is opened by the BP;
    • if software or system updates are initiated by the user or authorized system services, and an IP-Session is opened by the BP.
  • In a possible embodiment a correlation is defined being likely unsecure for one or more of the following:
    • if a phone call is ongoing while no phone call is made or accepted by the phone call application or telephony application;
    • if the microphone is active and a phone call is ongoing over the BP while no phone call is made accepted by the phone call application or telephony application;
    • if the microphone is assigned to an application that is not allowed to have access to the microphone and which transfers data over the BP as a phone call or a IP-Session;
    • if the mobile device is an idle or sleep mode, while large amount of data from the storage device of the phone is transferred over a IP-session opened by the BP;
    • if the actual power consumption is larger than the displayed power consumption and a IP-session is opened by the BP to transfer data;
    • if the actual power differs from the expected power consumption and a IP-session or phone calls is ongoing over the BP.
  • In a possible embodiment a correlation engine defines and maintains pattern of secure and unsecure states is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
  • In a possible embodiment power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge and if the area of the expected discharge curve as computed on the base of application and operating system power usage deviates significantly from the actually measured discharge curve, the resulting area under the curve is large and an IP-session or phone call is ongoing over the BP an alarm is triggered.
  • In a possible embodiment a user setting is provided allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
  • In a possible embodiment in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
  • A further part of the invention is Mobile terminal comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information, comprising a Baseband- monitor application and an Application-monitor application running on the AP or BP, the monitor applications are configured to collect one or more of the following information:
    • Information from the BP about opening and closing of transmission channels to and from a base station;
    • Information from the baseband CPU about protocol transmissions to and from the base station;
    • Information from the baseband CPU about the volume of data transmission;
    • Measures response times to standard service requests from application CPU(AP) to baseband CPU (BP);
    • Information of the power consumption of phone components;
    • Information of the current and voltage delivered by the battery to the phone;
    • Configuration of the audio path, to determine which component or application is using the micro-phone;
    • Monitor the running applications on the AP;
    • Monitor the status of the running applications on the AP;
    • Monitor time or duration of applications running on the AP;
    • Monitor the input or output of the applications running on the AP;
    • Monitor the input of a user to a User-Interfaces;
  • further comprising a correlation application being configured to find correlations between at least two information above that indicate an unsecure situation, and triggering an alarm.
  • In a possible embodiment of the mobile terminal the Baseband- monitor application acquires one or more of the following information:
    • Information from the BP about opening and closing of transmission channels to and from a base station;
    • Information from the baseband CPU about protocol transmissions to and from the base station;
    • Information from the baseband CPU about the volume of data transmission;
    • Measures response times to standard service requests from application CPU(AP) to baseband CPU (BP); and wherein the application monitor application acquires one or more of the following information:
    • Information of the power consumption of phone components;
    • Information of the current and voltage delivered by the battery to the phone;
    • Monitors the audio path configuration, by determining which component or application is using the micro-phone;
    • Monitor the running applications on the AP;
    • Monitor the status of the running applications on the AP;
    • Monitor time or duration of applications running on the AP;
    • Monitor the input or output of the applications running on the AP;
    • Monitor the input of a user to a User-Interface;
    and the correlation application is configured to find correlation between the information of the baseband-monitor application and the information of the application-monitor-application, above that indicate an unsecure situation, and triggering an alarm.
  • In a possible embodiment of the mobile terminal a correlation is defined being likely secure for one or more of the following:
    • if the user inputs information to a User-Interface and an application is running which is defined as the receiver of the information inputed, and network connection on the BP is opened after the inputted information;
    • if a web-browser application is started or activated and user input is detected which is directed to the web-browser application and a IP-Session is opened by the BP;
    • if a email-application is running and is checking for new emails and an IP-Session is opened by the BP;
    • if a phone call application is started user input is detected and a voice session is opened by the BP;
    • if a phone call application is started and has opened a voice connection over the BP an speaker path to the phone call application is allowed;
    • if an instant messaging communication is initiated or received by the user and an IP-Session is opened by the BP;
    • if software or system updates are initiated by the user or authorized system services, and an IP-Session is opened by the BP.
  • In a possible embodiment of the mobile terminal a correlation is defined being likely unsecure for one or more of the following:
    • if a phone call is ongoing while no phone call is made or accepted by the phone call application or telephony application;
    • if the microphone is active and a phone call is ongoing over the BP while no phone call is made accepted by the phone call application or telephony application;
    • if the microphone is assigned to an application that is not allowed to have access to the microphone and which transfers data over the BP as a phone call or a IP-Session;
    • if the mobile device is an idle or sleep mode, while large amount of data from the storage device of the phone is transferred over a IP-session opened by the BP;
    • if the actual power consumption is larger than the displayed power consumption and a IP-session is opened by the BP to transfer data;
    • if the actual power differs from the expected power consumption and a IP-session or phone calls is ongoing over the BP:
  • In a possible embodiment of the mobile terminal the correlation engine is configured to define and maintain pattern of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
  • In a possible embodiment of the mobile terminal a Power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge and If the area of the expected discharge curve as computed on the base of application and operating system power usage deviates significantly from the actually measured discharge curve, the resulting area under the curve is large and a IP-session or phone calls is ongoing over the BP an alarm is triggred.
  • In a possible embodiment of the mobile terminal the correlation engine is configured to provide a user setting allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
    In a possible embodiment of the mobile terminal wherein in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
  • Another aspect of the invention is a mobile device, that implements the above mentioned aspects. The Mobile device configured to detect an attack on a baseband processor comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising :
    1. a) baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the respective mobile device.
    2. b) application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user;
    3. c) evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
    4. d) defense component configured to initiate component of countermeasures designed to ward off the suspicious/illegitimate baseband activities.
    The other possible configurations of the mobile device which are described in the appended claims implement the method above.
  • It has to be noted, that the components mentioned above can be software or hardware, in case of software they run on the application processors or on the baseband processor or partially on both.
    Also the applications can run on the BP or AP, or partially on the AP or BP, can be implemented in hardware or software or a combination thereof.
  • The invention consists in a possible configuration of the following components:
  • One component is a Baseband-Monitor that observes the behavior of the baseband. It uses all means available to determine the current behavior of the Baseband Processor (BP). The Baseband-Monitor is an application which preferable runs as application on the application processor (AP). It is also possible that parts of the Baseband-Monitor runs as application on the BP. Baseband-Monitor in the preferred embodiment uses the interfaces and functions the of the BP, which are provide by in the standard configuration. The information and the interfaces available differs depending on capabilities of the baseband processor and interfaces made available on a specific phone model/mobile terminal and includes but is not limited to:
    • 1. Information from the baseband CPU about opening and closing of transmission channels to and from a base station
    • 2. Information from the baseband CPU about protocol transmissions to and from the base station
    • 3. Information from the baseband CPU about the volume of data transmission
      Further the Baseband-Monitor
    • 4. Monitors and records the power consumption of phone components (as available)
    • 5. Records the current and voltage delivered by the battery to the phone.
    • 6. Monitors the audio path configuration (e.g. which component is using the microphone)
    • 7. Measures response times to normal service requests from application CPU(AP) to baseband CPU (BP)
  • Using these data points the Baseband-Monitor provides a rich set of information on the current activities of the baseband. The level of detail depends on the availability of data sources in the specific phone model. Not all data sources are usually available on all phone models.
  • The other component of the invention in the possible configuration of two components is a monitoring and alerting component that observes the parameters, time and duration of legitimate software and user activities on the application CPU that cause normal Baseband activities intended by the user. Under normal circumstances, most Baseband activities with some known exceptions are correlated with user interaction, like making a call or loading a web page, or known-to-be-good automated application activity, like checking e-mail. Application use of baseband ressources is monitored on the AP by various means like hooking or replacing the respective "provider" functions in the operating system that manage the communication with the baseband. This analyses can also be performed by checking the network traffic for example by sniffing the ports and the IP-packages, or by using proxies which are located between the applications and the baseband. Also the communication between the AP and BP can be monitored by reading the shared memory which is normally used for an information exchange between the two units. Also the activity for example the processor using of the applications can be monitored to detect if the application is very active or suspended. So the information of the process scheduler in the operating system can provide information. Also the event table of the operating system can be check and verified. In the event table the applications running on the AP give a feedback of the actions and errors and warnings. Also a monitoring on the AP can be given by tracking the use of a user interface like a keyboard or a touch screen. For example if a SMS has been send by an application without a detection of a user input a security problem can be given. The same situation can be determined if the mobile terminal is in a standby mode and a SMS is sent or phone call is performed. The monitoring application on the AP collects this information and stores the information over a defined time period in a database. The storing and collecting of the information is done in defined time intervals or driven by events like interrupts. Each collected information has in a possible implementation a time stamp which allows finding a time correlation. Furthermore the information can be categorized which allows the implementation of general concepts and rules on the categories.
  • The mechanism then correlates the data from the Baseband monitoring (described above) and the data from the application CPU monitoring to distinguish between legitimate and suspicious Baseband activities. Suspicious are activities that cause transmissions or resource consumption on the Baseband but are not correlated to legitimate user activities.
    One very simple example is that if the Baseband is detected by the monitoring component to have an active call ongoing while no phone call is made or accepted by the telephony software, very likely this is the result of an attack.
  • The correlation engine of the invention builds a pattern of "normality" that is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis etc. A simple example is the analysis of the battery discharge curve while taking into account the power usage of applications and sensors as provided by the operating system or seperate readout of power consumption data from respective phone sensors. If the actual discharge curve deviates from the expected precalculated discharge curve, malicious baseband activitiy is suspected. These statistical concepts are well known so that a further discussion can be omitted. Also logical dependencies can be expressed by definable expression, using conditional expression and logical conjunctions etc.. The detection of ongoing suspicious baseband activity can rely on one or a combination of data sources on Baseband and application CPU. Specific user usage patterns are taken into account by an adaption mechanism built into the correlation engine. A user setting is provided to allow for a configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
  • In the most simple case when very little data is available to the Baseband Monitor, the battery current and voltage measurement is used to check for a deviation from the expected power consumption. An ongoing attack that would e.g. use the baseband to transmit room audio to the attacker by means of a surreptitious call or periodic data transmissions would cause a deviation between power consumption actually measured at the battery and the expected consumption computed from the phones power profile.
  • When suspicious activity is detected in the form of deviation between expected and actual power use, open channels to the base station, data transmission, audio circuit configuration, response times etc. countermeasures can be taken for instance but not limited to resetting the baseband, resetting the phone, forcing all connections to be dropped and / or alerting the phones user.
  • Brief Description of Drawinas
  • The Figures show examples of possible implementations but do not intend to limit the application on these embodiments. Consequently the scope of protection has to be determined by the broadest interpretation of the claims.
    • Fig. 1 shows a structure of components and their connection;
    • Fig. 2 shows the flow diagram of the method AP monitor application;
    • Fig. 3 shows the flow diagram of the method BP monitor application;
    • Fig. 4 shows the flow diagram of the method correlation engine;
    Detailed Description of Embodiments
    • Fig. 1 disclosss a structure of a mobile device with a BP running an operating system OS and with an AP running an OS. On the OS of the AP an application monitor application is running which implements the collection of information. Furthermore the baseband monitor application is running on the AP collecting information. The information are used by a correlation engine application which has access to the collected information. A memory controller MC is controlled by a firmware / program. The MC is connected to the memory and controls a memory that is logical divided into shared memory, AP memory and BP memory. The logical separation is provided by the memory controller and the firmware. The memory controller is connected to the BP and AP.
    • Fig. 2 shows a flow diagram of the application monitor that collects specific data and stores the date in a database. The data can be collected cyclic or event driven. Fig.3 shows a flow diagram of the baseband monitor application that collects specific data and stores the date in a database. The data can be collected cyclic or event driven. Fig. 4 shows a flow diagram of the correlation that has access to the database and reads the information to find unsecure patterns by finding the unsecure correlation. In case of finding a unsecure correlation an alarm is triggered.

Claims (16)

  1. Method for detecting an attack on a baseband processor of a mobile device which comprises the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps:
    a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the respective mobile device,
    b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user,
    c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
    d) initiation by a defense component of countermeasures designed to ward off the suspicious/illegitimate baseband activities.
  2. The method according to claim 1, wherein the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped.
  3. The method according to claim 1 or 2, wherein the monitoring by the baseband monitor comprises one or more of the following:
    - collecting information on power consumption of individual hardware components of the mobile device,
    - collecting information on audio path configuration,
    - collecting information on the response time to normal service requests from the application processor to the baseband processor;
    - monitoring of communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
    - monitoring of communication interfaces and memory areas shared between application processor and baseband for patterns associated with exploit attempts,
    - collecting information obtained from the baseband processor's debugging output and preferably wherein the monitoring of communication interfaces or memory areas shared between application processor and baseband for patterns associated with exploit attempts, comprises one or more of the following:
    - Monitoring malformated messages or data structures or very large data blocks;
    - Monitoring the usage of procedures, functions, features or messages not seen in normal operations;
    - Monitoring attempts to access memory areas not consistent with normal operations.
    and preferably wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
    timing and volume of voice call setup,
    timing and volume of data transmission,
    timing and volume of SMS message transmission,
    timing and sequence of establishment of traffic channels.
  4. Method according to any of the claims 1 to 3, wherein the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
  5. Method according to any of the claims 1 to 4, wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component warning the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected and/or the defense component shutting down the baseband processor in order to prevent exploitation,
    and preferably wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following information:
    - cell identification, distance, and signal strength,
    - signal growth/attenuation,
    - forced network change from 3G to 2G network,
    - unusual changes in the list of neighboring cells,
    - unusual configuration parameters of the mobile base -station designed to make it appear more 'attractive' to the targeted mobile device(s),
    - network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator
  6. Method according to any of the claims 1 to 5, wherein the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicious to highly suspicious,
    and preferably wherein the evaluator is plotting all the events in a diagram that shows baseband activity and suspectedness of baseband activities over time and that is displayed on either the mobile device's screen or an external display device,
    and preferably, wherein the evaluator component compiles the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
  7. Method according to any of the claims 1 to 6, wherein the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by the reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.
  8. Method according to any of the claims 1 to 7, wherein the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
    and preferably wherein the reporter remote analytics entity sends out warnings and configuration changes to mobile devices in respect to detected hostile network activity.
    and preferably wherein the reporter remote analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
  9. Mobile device configured to detect an attack on a baseband processor comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising :
    a) baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the respective mobile device,
    b) application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user;
    c) evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
    d) defense component configured to initiate component of countermeasures designed to ward off the suspicious/illegitimate baseband activities.
  10. Mobile device according to claim 9, wherein the defense component is configured to initiate countermeasures designed to ward off the suspicious/legitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped.
  11. Mobile device according to claim 9 or 10, wherein the baseband monitor component is configured to implement one or more of the following:
    - collecting information on power consumption of individual hardware components of the mobile device,
    - collecting information on audio path configuration,
    - collecting information on the response time to normal service requests from the application processor to the baseband processor;
    - monitoring of communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
    - monitoring of communication interfaces and memory areas shared between application processor and baseband for patterns associated with exploit attempts,
    - collecting information obtained from the baseband processor's debugging output; and preferably wherein the monitoring of communication interfaces or memory areas shared between application processor and baseband for patterns associated with exploit attempts, comprises one or more of the following:
    - Monitoring malformated messages or data structures or very large data blocks;
    - Monitoring the usage of procedures, functions, features or messages not seen in normal operations;
    - Monitoring attempts to access memory areas not consistent with normal operations;
    and preferably wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
    timing and volume of voice call setup,
    timing and volume of data transmission,
    timing and volume of SMS message transmission,
    timing and sequence of establishment of traffic channels.
  12. Mobile device according to any of the claims 9 to 11, wherein the evaluator component is configured to flag the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
  13. Mobile device according to any of the claims 9 to 12, wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component warning the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected and/or the defense component shutting down the baseband processor in order to prevent exploitation;
    and preferably wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following information:
    - cell identification, distance, and signal strength,
    - signal growth/attenuation,
    - forced network change from 3G to 2G network,
    - unusual changes in the list of neighboring cells,
    - unusual configuration parameters of the mobile base -station designed to make it appear more 'attractive' to the targeted mobile device(s),
    - network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator
  14. Mobile device according to any of the claims 9 to 13, wherein the evaluator component is configured to categorizes activities on the baseband processor in different classes ranging from normal/inconspicious to highly suspicious,
    and preferably wherein the evaluator is configured to plot all the events in a diagram that shows baseband activity and suspectedness of baseband activities over time and that is displayed on either the mobile device's screen or an external display device.
    and preferably wherein the evaluator component is configured to compile the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
  15. Mobile device according to any of the claims 9 to 14, wherein the evaluator component is configured to record baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by the reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.
  16. Mobile device according to any of the claims 9 to 15, wherein the evaluator component is configured to transmit data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
    and preferably wherein the reporter remote analytics entity is configured to send out warnings and configuration changes to mobile devices in respect to detected hostile network activity.
    and preferably wherein the reporter remote analytics entity is configured to send out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
EP13167024.2A 2012-06-29 2013-05-08 Mobile device and method to monitor a baseband processor in relation to the actions on an application processor Active EP2680182B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US201261666742P 2012-06-29 2012-06-29

Publications (2)

Publication Number Publication Date
EP2680182A1 true EP2680182A1 (en) 2014-01-01
EP2680182B1 EP2680182B1 (en) 2016-03-16

Family

ID=48325465

Family Applications (1)

Application Number Title Priority Date Filing Date
EP13167024.2A Active EP2680182B1 (en) 2012-06-29 2013-05-08 Mobile device and method to monitor a baseband processor in relation to the actions on an application processor

Country Status (1)

Country Link
EP (1) EP2680182B1 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9152787B2 (en) 2012-05-14 2015-10-06 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9298494B2 (en) 2012-05-14 2016-03-29 Qualcomm Incorporated Collaborative learning for efficient behavioral analysis in networked mobile device
US9319897B2 (en) 2012-08-15 2016-04-19 Qualcomm Incorporated Secure behavior analysis over trusted execution environment
US9324034B2 (en) 2012-05-14 2016-04-26 Qualcomm Incorporated On-device real-time behavior analyzer
US9330257B2 (en) 2012-08-15 2016-05-03 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9491187B2 (en) 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US9495537B2 (en) 2012-08-15 2016-11-15 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9609456B2 (en) 2012-05-14 2017-03-28 Qualcomm Incorporated Methods, devices, and systems for communicating behavioral analysis information
US9686023B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors
US9684870B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
US9690635B2 (en) 2012-05-14 2017-06-27 Qualcomm Incorporated Communicating behavior information in a mobile computing device
US9742559B2 (en) 2013-01-22 2017-08-22 Qualcomm Incorporated Inter-module authentication for securing application execution integrity within a computing device
US9747440B2 (en) 2012-08-15 2017-08-29 Qualcomm Incorporated On-line behavioral analysis engine in mobile device with multiple analyzer model providers
US10089582B2 (en) 2013-01-02 2018-10-02 Qualcomm Incorporated Using normalized confidence values for classifying mobile device behaviors
US10149343B2 (en) 2015-05-11 2018-12-04 Apple Inc. Use of baseband triggers to coalesce application data activity
EP3687120A1 (en) * 2019-01-25 2020-07-29 Usecrypt S.A. Mobile communication device and method of determining security status thereof
CN112640571A (en) * 2018-08-23 2021-04-09 约翰·梅扎林瓜联合有限公司 System and method for creating and managing private sub-networks of LTE base stations
US11144079B2 (en) 2013-02-11 2021-10-12 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US11228910B2 (en) 2019-01-25 2022-01-18 V440 Spó£Ka Akcyjna Mobile communication device and method of determining security status thereof
US11934211B2 (en) 2023-04-07 2024-03-19 Graco Minnesota Inc. Paint sprayer distributed control and output volume monitoring architectures

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102006016994A1 (en) * 2006-04-11 2007-10-18 Giesecke & Devrient Gmbh Recording the resource consumption
US20090260081A1 (en) * 2008-04-14 2009-10-15 Tecsys Development, Inc. System and Method for Monitoring and Securing a Baseboard Management Controller
US20100121916A1 (en) * 2008-11-12 2010-05-13 Lin Yeejang James Method for adaptively building a baseline behavior model
US20100251370A1 (en) * 2009-03-26 2010-09-30 Inventec Corporation Network intrusion detection system
US20120096539A1 (en) * 2006-11-27 2012-04-19 Juniper Networks, Inc. Wireless intrusion prevention system and method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102006016994A1 (en) * 2006-04-11 2007-10-18 Giesecke & Devrient Gmbh Recording the resource consumption
US20120096539A1 (en) * 2006-11-27 2012-04-19 Juniper Networks, Inc. Wireless intrusion prevention system and method
US20090260081A1 (en) * 2008-04-14 2009-10-15 Tecsys Development, Inc. System and Method for Monitoring and Securing a Baseboard Management Controller
US20100121916A1 (en) * 2008-11-12 2010-05-13 Lin Yeejang James Method for adaptively building a baseline behavior model
US20100251370A1 (en) * 2009-03-26 2010-09-30 Inventec Corporation Network intrusion detection system

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9609456B2 (en) 2012-05-14 2017-03-28 Qualcomm Incorporated Methods, devices, and systems for communicating behavioral analysis information
US9189624B2 (en) 2012-05-14 2015-11-17 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9202047B2 (en) 2012-05-14 2015-12-01 Qualcomm Incorporated System, apparatus, and method for adaptive observation of mobile device behavior
US9292685B2 (en) 2012-05-14 2016-03-22 Qualcomm Incorporated Techniques for autonomic reverting to behavioral checkpoints
US9298494B2 (en) 2012-05-14 2016-03-29 Qualcomm Incorporated Collaborative learning for efficient behavioral analysis in networked mobile device
US9898602B2 (en) 2012-05-14 2018-02-20 Qualcomm Incorporated System, apparatus, and method for adaptive observation of mobile device behavior
US9324034B2 (en) 2012-05-14 2016-04-26 Qualcomm Incorporated On-device real-time behavior analyzer
US9152787B2 (en) 2012-05-14 2015-10-06 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9349001B2 (en) 2012-05-14 2016-05-24 Qualcomm Incorporated Methods and systems for minimizing latency of behavioral analysis
US9690635B2 (en) 2012-05-14 2017-06-27 Qualcomm Incorporated Communicating behavior information in a mobile computing device
US9747440B2 (en) 2012-08-15 2017-08-29 Qualcomm Incorporated On-line behavioral analysis engine in mobile device with multiple analyzer model providers
US9495537B2 (en) 2012-08-15 2016-11-15 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9330257B2 (en) 2012-08-15 2016-05-03 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9319897B2 (en) 2012-08-15 2016-04-19 Qualcomm Incorporated Secure behavior analysis over trusted execution environment
US10089582B2 (en) 2013-01-02 2018-10-02 Qualcomm Incorporated Using normalized confidence values for classifying mobile device behaviors
US9686023B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors
US9684870B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
US9742559B2 (en) 2013-01-22 2017-08-22 Qualcomm Incorporated Inter-module authentication for securing application execution integrity within a computing device
US11592850B2 (en) 2013-02-11 2023-02-28 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US11372432B2 (en) 2013-02-11 2022-06-28 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US11698650B2 (en) 2013-02-11 2023-07-11 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US11630470B2 (en) 2013-02-11 2023-04-18 Graco Inc. Remote monitoring for fluid applicator system
US11144079B2 (en) 2013-02-11 2021-10-12 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US11249498B2 (en) 2013-02-11 2022-02-15 Graco Minnesota Inc. Remote monitoring for fluid applicator system
US9491187B2 (en) 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US10149343B2 (en) 2015-05-11 2018-12-04 Apple Inc. Use of baseband triggers to coalesce application data activity
CN112640571A (en) * 2018-08-23 2021-04-09 约翰·梅扎林瓜联合有限公司 System and method for creating and managing private sub-networks of LTE base stations
US11228910B2 (en) 2019-01-25 2022-01-18 V440 Spó£Ka Akcyjna Mobile communication device and method of determining security status thereof
EP3687120A1 (en) * 2019-01-25 2020-07-29 Usecrypt S.A. Mobile communication device and method of determining security status thereof
US11934210B2 (en) 2022-07-08 2024-03-19 Graco Minnesota Inc. Paint sprayer distributed control and output volume monitoring architectures
US11934211B2 (en) 2023-04-07 2024-03-19 Graco Minnesota Inc. Paint sprayer distributed control and output volume monitoring architectures
US11934212B2 (en) 2023-04-07 2024-03-19 Graco Minnesota Inc. Paint sprayer distributed control and output volume monitoring architectures

Also Published As

Publication number Publication date
EP2680182B1 (en) 2016-03-16

Similar Documents

Publication Publication Date Title
US9191823B2 (en) Mobile device and method to monitor a baseband processor in relation to the actions on an applicaton processor
EP2680182B1 (en) Mobile device and method to monitor a baseband processor in relation to the actions on an application processor
EP3375159B1 (en) Dynamic honeypot system
EP3681120B1 (en) Method and device for accessing device identifiers
US20130055387A1 (en) Apparatus and method for providing security information on background process
US20120222120A1 (en) Malware detection method and mobile terminal realizing the same
EP2562673B1 (en) Apparatus and method for securing mobile terminal
US20130254880A1 (en) System and method for crowdsourcing of mobile application reputations
EP3343968B1 (en) Monitoring apparatus, device monitoring system and method of monitoring a plurality of networked devices
CN104462970A (en) Android application program permission abuse detecting method based on process communication
CN105263142A (en) Method and device for identifying pseudo base station
CN102082802A (en) Behavior-based mobile terminal security protection system and method
CN110149599B (en) Short message protection method and terminal equipment
CN101257678A (en) Method, terminal and system for realizing mobile terminal software safe detection
CN110622539A (en) Detecting a fake cell tower
KR20120136126A (en) Method and apparatus for treating malicious action in mobile terminal
US8923815B1 (en) Method for detecting changes in security level in mobile networks
CN106709282B (en) resource file decryption method and device
CN102509054A (en) Mobile terminal and application program control method for mobile terminal
CN105550584A (en) RBAC based malicious program interception and processing method in Android platform
CN105069374A (en) Private data intercepting protection method and system
CN110502926A (en) Privacy closes rule detection method and device
US8391838B2 (en) Secure mobile communication system and method
CN102572814B (en) A kind of mobile terminal virus monitor method, system and device
KR101284013B1 (en) Smartphone Malicious Application Detect System and Method based on Client Program

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20131107

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

17Q First examination report despatched

Effective date: 20150205

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20151123

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

INTG Intention to grant announced

Effective date: 20160115

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 781793

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160415

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602013005471

Country of ref document: DE

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 4

REG Reference to a national code

Ref country code: NO

Ref legal event code: T2

Effective date: 20160316

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160617

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 781793

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160316

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160531

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160716

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160718

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602013005471

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160508

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

26N No opposition filed

Effective date: 20161219

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160616

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 6

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20130508

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160531

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160316

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NO

Payment date: 20230519

Year of fee payment: 11

Ref country code: NL

Payment date: 20230519

Year of fee payment: 11

Ref country code: IE

Payment date: 20230516

Year of fee payment: 11

Ref country code: FR

Payment date: 20230502

Year of fee payment: 11

Ref country code: DE

Payment date: 20230531

Year of fee payment: 11

Ref country code: CH

Payment date: 20230605

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: SE

Payment date: 20230522

Year of fee payment: 11

Ref country code: FI

Payment date: 20230523

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230502

Year of fee payment: 11